Data Processing Agreement
Last updated: 2026-05-28
This DPA is a template summary for self-service review. For a counter-signed PDF, email hello@orderpier.com with your contracting entity and your standard form (we'll counter-sign yours or ours).
1. Subject matter
OrderPier processes Customer Data (purchase orders, supplier metadata, contact details) as a processor on behalf of Customer (the controller) to provide the OrderPier service — extracting structured order data from emails and posting it into Customer's ERP.
2. Duration & nature
For the term of the Master Services Agreement plus a 30-day post-termination data-return window. Processing is automated and includes inbound email ingestion, LLM-based extraction, validation, and outbound API calls to Customer's ERP.
3. Instructions
OrderPier processes Customer Data only on documented instructions from Customer, including with regard to transfers outside the EEA, unless required by law.
4. Confidentiality
All personnel authorized to process Customer Data are bound by written confidentiality obligations.
5. Security measures (Article 32)
See our Security page for the technical and organizational measures applied. Includes: TLS 1.3 in transit, AES-256 at rest, PostgreSQL Row-Level Security with FORCE ROW LEVEL SECURITY, SSO + MFA for production access, immutable audit logging, documented incident-response plan.
6. Sub-processors
Customer authorizes the sub-processors listed at /legal/subprocessors. OrderPier commits to 30 days' advance notice of any addition or material change; Customer may object in writing for legitimate data-protection reasons, and we'll work in good faith to resolve.
7. Data subject rights
OrderPier will assist Customer in responding to data subject requests (access, rectification, erasure, portability, objection) within seven business days of receipt.
8. Breach notification
OrderPier will notify Customer without undue delay and, in any case, within 48 hours of becoming aware of a Personal Data Breach affecting Customer Data, providing all reasonably available information to permit Customer to meet its own breach-notification obligations.
9. Deletion / return
On termination, Customer may request return or deletion of Customer Data; OrderPier will delete or anonymize within 30 days, retaining only what is necessary to comply with legal obligations.
10. Audit
Customer may audit compliance once per twelve-month period, on 30 days' written notice, at Customer's expense, under NDA, during business hours. OrderPier satisfies this obligation in the first instance by providing its current SOC 2 report (when available) and security questionnaires.
Annex I — Parties
Controller: Customer entity as named on the Order Form. Processor: OrderPier, registered in the United States.
Annex II — Security measures
See /security.
Annex III — Sub-processors
See /legal/subprocessors, kept current.
Annex IV — International transfers
Transfers of Customer Data outside the EEA, UK, or Switzerland are made under the 2021 EU Standard Contractual Clauses (Module 2: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum. Customer is the data exporter and OrderPier the data importer.